Posted
by
timothy
on Sunday January 19, 2014 @02:21PM
from the at-least-everyone's-using-msie dept.

wiredmikey writes "While the recent data breach that hit Target has dominated headlines lately, another massive data breach was disclosed this week that affected at least 20 million people in South Korea. According to regulators, the personal data including names, social security numbers, phone numbers, credit card numbers and expiration dates of at least 20 million bank and credit card users was taken by a temporary consultant working at the Korea Credit Bureau (KCB). The consultant later sold the data to phone marketing companies, but has since been arrested along with mangers at the companies he sold the stolen data to. A similar insider-attack occurred at Vodafone late last year when a contractor made off with the personal data of two million customers from a server located in Germany. According to a study from PwC, organizations have made little progress developing defenses against both internal and external attackers, and insiders pose just as great a security risk to organizations as outside attackers."

We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret". Nobody should be able to impersonate you by knowing your SSN, anymore than they can by knowing your name. Likewise, we should get rid of mag-stripe CCs, and switch to a more secure system like much of the rest of the world already has. These data breaches are just a symptom of a deeper problem: No sane system should require that the same information be both secret and widely known.

We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret".

I'm 38, my father is about twice my age. When I was a child I remember some philosophically strong arguments against the use of SSNs in any venue other than the government program they were created for. My father wasn't religious, though later I discovered myself the whole "number of the beast" thing (i.e. christian prophecy about things like the tattooed ID numbers on jewish prisoners of the nazis. To a lesser extent, the idea of humans viewed as consumer cattle by society. I.e. you can't buy or sell o

We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret".

I'm 38, my father is about twice my age. When I was a child I remember some philosophically strong arguments against the use of SSNs in any venue other than the government program they were created for. My father wasn't religious, though later I discovered myself the whole "number of the beast" thing (i.e. christian prophecy about things like the tattooed ID numbers on jewish prisoners of the nazis. To a lesser extent, the idea of humans viewed as consumer cattle by society. I.e. you can't buy or sell or basically function in society without providing your unique numerical identifier to help you be tracked to that level of detail.

Now it seems we've infected south korea with our Social Security Number system. Que Sera Sera.

It doesn't matter that it is an SSN. An SSN is basically a unique identifier and whatever unique identifier would replace the SSN, it is still just as unsafe for all of the same reasons. If all of your banking, credit card, purchasing info is tied to one unique identifier, then anybody who gets that info could steal your identity.

The only real solution is to have separate identifiers for separate systems. That way if a system is compromised, only that one system is impacted. Of course, it would be as inconv

The only real solution is to have separate identifiers for separate systems.

NO NO NO!!! This is NOT the solution. The solution is to use identifiers for IDENTIFICATION and to use something completely different for AUTHENTICATION. Identifiers, by their very nature, are public or quasi-public information, and knowledge of them should never be used to authenticate anything.

This is the answer. Your identity never was, and still is not a secret. Only your authorization to draw money from your bank account needs to be reserved to you alone.

Chip and PIN does a good job of this. The card will readily give up your identity, but that's not a problem. It requires you to enter your PIN into that exact chip that provides the authorization to access your money, and that authorization is tied to one and only one transaction.

This is the answer. Your identity never was, and still is not a secret. Only your authorization to draw money from your bank account needs to be reserved to you alone.

Chip and PIN does a good job of this. The card will readily give up your identity, but that's not a problem. It requires you to enter your PIN into that exact chip that provides the authorization to access your money, and that authorization is tied to one and only one transaction.

What it does not do is defend against the insider threat. The opposite end of the Chip and PIN cryptography needs to terminate in a Hardware Security Module that can't be tampered with, even by the bank employees.

Chip and pin won't correct what happened with Target. As long as the pin is constant. Most commercial bank customers, at least in our area use a key fob that generates a unique pin and changes every minute. My bank knows me by a certain user name and password. That combination is unique. But even if that were hacked, with out the separate key fob tied to that unique combination, you still cannot authenticate.

But, unless the CC is going to have a screen for the randomly generated pin, all you are doing is s

The only real solution is to have separate identifiers for separate systems.

NO NO NO!!! This is NOT the solution. The solution is to use identifiers for IDENTIFICATION and to use something completely different for AUTHENTICATION. Identifiers, by their very nature, are public or quasi-public information, and knowledge of them should never be used to authenticate anything.

That is what we currently have. Target was hacked and the identifier and the code for authorization was stolen. My authorization code for Discover Card is totally different than VISA. However, if I used my Discover Card at Target (or evidently in Korea), then it is no longer secure and purchases can be made with it. In addition, since most online sites use your credit card to validate that you are a real person, the theives can validate as me on sites I have nothing to do with. At that point, they can do a

We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret". Nobody should be able to impersonate you by knowing your SSN, anymore than they can by knowing your name. Likewise, we should get rid of mag-stripe CCs, and switch to a more secure system like much of the rest of the world already has. These data breaches are just a symptom of a deeper problem: No sane system should require that the same information be both secret and widely known.

Mag-stripe CCs, while easy to copy at the point of transaction aren't any less secure than the new CCs for online purchases. Regardless of technology to record information about the card, the moment you enter that information online, and it is stored in a database, it is possible to steal the database. One way around this would be to use a key fob that generates a unique pass code every time you use it, like many banks have for business customers. Of course, that makes the CC much less convenient and much m

I say: take the other approach: outsource everything from all companies to the same contractors. That way, everyone will know everything about everyone else.(people who don't get the joke should have another beer)

Eventually we're just going to have to face the fact that there is no data privacy anymore, whether accidental or intentional. Rather than hiding information through obscurity and security, some day I foresee global systems that have the "official" data publicly available, including the public keys used to identify people when they access their information services.

So the onus will be on retailers and others to have the user log in with their private key to identify themselves, rather than presenting a

nonsense, this is result of very poor security and no obscurity, using credit card number or ss # is silliness. Transactions with private keys and verification are the way to do things, this is a solved problem that the governments and credit card companies are not using.

But certain information is already publicly published, like your address in the online phone books. So why should it be a "big deal" if it gets stolen from some corporate database when the phone company is already publishing it for anyone to scrape? That's the other half of my point: we need to stop worrying about "private" data that is published. Theft of such data should be a non-issue.

As somebody who has worked in the software industry for decades now, I find it stunning that the Slashdot beta project has not been terminated yet. It's a failure in every single sense. The users here almost all absolutely hate it. It looks worse than the existing site. It functions worse than the existing site. I think it's slower than the existing site. There is so much wasted empty space. The fonts are harder to read. The discussion is much, much more difficult to follow. It's harder to post a comment. Being forced to use it unexpectedly affects users trying to use the existing site!

And those comparisons are to an existing Slashdot site that was Web 2.0-ified a while back, making it even shittier than the site that preceded it!

While we should be accustomed to social media web sites shitting all over their users with bad redesigns, Slashdot is really taking it a step beyond with this beta site. I can sincerely see a Digg v4-style disaster happening again if the beta site goes live, it's just that bad. The beta will drive away the few remaining users of value.

I sure hope that Slashdot does the right thing, and puts an end to this beta site project. Nothing good will come out of it, aside from lessons about what not to do. Everything about the beta site is just plain bad. Terminate the project, throw away the code, and move on. And do this well before the beta site ever replaces the current one!

It's funny, but this is the curse of "those who know best" and "you'll like it if we tell you to." See recent examples by Google, with G+, email, and 'tube commenting system. Universally hated by everyone, and they said fuck you./. is doing the same thing. You can bet it'll be shoved down everyone's throat, and then they'll wonder why their viewership is dropping through the floor. Much like how google is wondering why ad revenue is falling through the floor on the 'tube, and their getting investigated

As somebody who has worked in the software industry for decades now, I find it stunning that the Slashdot beta project has not been terminated yet. It's a failure in every single sense. The users here almost all absolutely hate it. It looks worse than the existing site. It functions worse than the existing site. I think it's slower than the existing site. There is so much wasted empty space. The fonts are harder to read. The discussion is much, much more difficult to follow. It's harder to post a comment. Being forced to use it unexpectedly affects users trying to use the existing site!

Completely screwing up something that has worked fine for years for no apparent benefit. That works for Microsoft, Google, Apple and others. Sound's like it's good to go.

Nearly any attack vector usable by an outsider is also usable by an insider, but the converse is not true. This means that insiders are the primary risk to consider, in fact insiders are almost the only risk you need to think about. "Almost" because attack vectors aren't the only consideration, you also have to look at motivations and capabilities, and it may be that external attackers have motivations or capabilities that insiders do not. In most contexts, though, if you can protect against insiders, addressing the remaining external risks will be trivial.

My day job is about securing a substantial database of very sensitive information, in a commercial context that has highly capable insiders. Insiders are, to a first approximation, the only attackers I think about. This sometimes annoys people who really want to say "But I can be trusted!" (but mostly are smart enough not to actually say it).

In my previous job, I was a security consultant, working with many fortune 500 firms, and the same viewpoint was the right perspective nearly all of the time there as well. Of course, most clients didn't want to hear that, because protecting against insider threats is generally hard, tedious and unsexy.

The whole technical implementation of a credit card is flawed. The banking industry desperately needs another solution, magnetic stripe and pin is toast, magnetic stripe, pin and chip is also toast (man in the middle attack) and to do an online payment you have to provide a card number, pin code and CCV. On an internet which is full of personal information, provided by users or hacked out of badly secured databases.
And instead of replacing what is flawed, insurances pay for the losses which are then cha

Even more, in most companies there's just no way to implement this. Data is just what they're working with and often the most basic security is bypassed or never implemented just because it's too bothersome while being without any immediately visible gain.

Come on, every admin out there will know that just too well. Security against attacks from the outside, yes. Security against attacks from the inside? Forget it. People need to work with the data and even just to make sure that people have only the access they really need often is so much bother that nobody wants to start with that.

This is baffling. Any decent country would look at the way the US uses these numbers and learn from our mistakes. I.e. have a number but don't make it the key to unlock credit or subject to tax refund abuse or any of the dozens of other ways SSNs are misused.

It's fairly easy to get to 'mostly secure' with off the shelf appliances and training/education. But each percentage more secure a network becomes beyond that point becomes exponentially more expensive in both IT implementation costs and user productivity lost. Unfortunately this cost is too much for a very large percentage of companies when it comes to their overall profitability from both the implementation and productivity end.

Personally I think the corporate world needs to shift away from maintaini

OK, ensure that punishment fits the crime by all means, and crooked employees have been yielding to temptation for centuries.Still, I can't help thinking that maybe, just maybe, if financial institutions developed their employees properly, and had enough of them, plus paid them just a fraction of their traders and CEOs, then they would have loyal, competent and trustworthy staff instead of having to rely on contractors.

Hey, they might even not have to spend that much money; I've been in plenty of situations